Closed WenTao-Love closed 4 years ago
Please answer some questions before submitting your issue. Thanks!

Which version of XXL-JOB are you using?

v2.1.1

Expected behavior

When logging in to the xxl-job-admin front-end page, the password should not be sent in plaintext; at the very least this should effectively guard against logins from tools such as Postman.

Actual behavior

In practice, login.1.js transmits the password in plaintext.

Steps to reproduce the behavior

The submitHandler() method of loginFormValid in login.1.js.

Other information

Improvement:

1. Download the two front-end crypto scripts bcrypt.js and md5.js.
2. Include them in login.ftl.
3. Modify the submitHandler() method in login.1.js:

```javascript
submitHandler : function(form) {
    var bcrypt = dcodeIO.bcrypt;               // from bcrypt.js
    var _index = layer.load();
    var _p = form.password.value;              // keep the plaintext so the field can be restored on failure
    // HMAC-MD5 keyed with the user name over the MD5 of the password (md5.js)
    var hhmd5 = hex_hmac_md5(form.userName.value, hex_md5(_p));
    // send the bcrypt hash (cost 12) of that value instead of the plaintext
    form.password.value = bcrypt.hashSync(hhmd5, bcrypt.genSaltSync(12));
    $.post(base_url + "/login", $loginForm.serialize(), function(data, status) {
        if (data.code == "200") {
            layer.msg( I18n.login_success );
            setTimeout(function(){
                window.location.href = base_url;
            }, 500);
        } else {
            layer.open({
                title: I18n.system_tips,
                btn: [ I18n.system_ok ],
                content: (data.msg || I18n.login_fail ),
                icon: '2',
                end: function(){
                    form.password.value = _p;   // restore the plaintext in the form field
                    layer.close(_index);
                }
            });
        }
    });
}
```

4. Add the dependency to pom.xml:

```xml
<dependency>
    <groupId>cn.hutool</groupId>
    <artifactId>hutool-crypto</artifactId>
    <version>5.1.0</version>
</dependency>
```

5. Modify the login() method in LoginService.java:

```java
// requires: import cn.hutool.crypto.SecureUtil; import cn.hutool.crypto.digest.BCrypt;
// String passwordMd5 = DigestUtils.md5DigestAsHex(password.getBytes());
// if (!passwordMd5.equals(xxlJobUser.getPassword())) {
//     return new ReturnT(500, I18nUtil.getString("login_param_unvalid"));
// }
// recompute what the browser HMAC'd: key = username, data = stored MD5 hex of the password
String passwordMd5 = SecureUtil.hmacMd5(username).digestHex(xxlJobUser.getPassword());
// the submitted "password" is the bcrypt hash of that HMAC
if (!BCrypt.checkpw(passwordMd5, password)) {
    return new ReturnT(500, I18nUtil.getString("login_param_unvalid"));
}
```

With this, the login password hardening is complete. Thanks.
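The flow the issue proposes, simulated end to end with the same hutool calls the patch uses, as an added example that is not the project's code or the reporter's patch. It shows the client transform and the server check agreeing on the stored MD5, and that the transmitted bcrypt value verifies again if it is resubmitted unchanged, so transport protection (HTTPS) is still needed. The `LoginSchemeDemo` class, its helper names and the sample credentials are constructed for illustration.

```java
import cn.hutool.crypto.SecureUtil;
import cn.hutool.crypto.digest.BCrypt;
import cn.hutool.crypto.digest.DigestUtil;

public class LoginSchemeDemo {

    // What xxl_job_user.password holds today: the hex MD5 of the plaintext
    // (the same value the commented-out DigestUtils line compared against).
    static String storedPassword(String plaintext) {
        return DigestUtil.md5Hex(plaintext);
    }

    // Mirrors the patched submitHandler(): hex_hmac_md5(userName, hex_md5(p)),
    // then bcrypt with cost 12. Done here in Java in place of md5.js/bcrypt.js.
    static String clientTransform(String username, String plaintext) {
        String hhmd5 = SecureUtil.hmacMd5(username).digestHex(DigestUtil.md5Hex(plaintext));
        return BCrypt.hashpw(hhmd5, BCrypt.gensalt(12));
    }

    // Mirrors the patched LoginService.login(): rebuild the HMAC from the
    // stored MD5 and check it against the bcrypt value received from the browser.
    static boolean serverCheck(String username, String stored, String transmitted) {
        String expected = SecureUtil.hmacMd5(username).digestHex(stored);
        return BCrypt.checkpw(expected, transmitted);
    }

    public static void main(String[] args) {
        String user = "admin";                 // constructed sample values
        String pw = "example-password";
        String stored = storedPassword(pw);
        String wire = clientTransform(user, pw);   // what the form now submits

        System.out.println("correct password verifies: " + serverCheck(user, stored, wire));
        System.out.println("wrong password verifies:   "
                + serverCheck(user, stored, clientTransform(user, "not-the-password")));
        // The wire value depends only on username and stored MD5, not on any
        // nonce or session, so an unchanged resubmission passes the same check.
        System.out.println("same wire value resubmitted verifies: " + serverCheck(user, stored, wire));
    }
}
```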
Hello, if you are concerned about plaintext, you can enable HTTPS.